The process of identifying, analyzing, and evaluating potential threats and vulnerabilities to determine the likelihood and impact of security incidents on an organization.